
The question is pretty much already in the title:

Can nftables and iptables/ip6tables rules be applied at the same time? If so: what's the order of precedence?

The reason I ask is this: plenty of tools - especially from the realm of containerization - still rely on iptables and ip6tables to add rules and make containerized services available or unavailable to other entities on the network. So if I want to express my standard firewall rules with nft this has to work in parallel with iptables/ip6tables.

Or is this catered by using iptables-legacy/ip6tables-legacy with update-alternatives or similar? I.e. all those containerization tools continue to use what they assume is iptables/ip6tables, but in reality it's the compatibility "layer" provided by nftables?

As for the order of precedence I'd appreciate a diagram of sorts, if available to show where rules have which precedence.


1 Answer


It is possible to use the kernel’s iptables and nftables simultaneously, but it requires some attention. The order in which the rules are applied is determined by the hook priority; legacy iptables default is 0, so an nft hook can be set to priority -1 if it should apply before iptables, or 1 if it should apply afterwards.

Simultaneous NAT requires a kernel >= 4.18.

iptables-nft is designed to facilitate migration to nft. Installing that alongside nft will allow programs expecting the iptables/ip6tables interface to continue working, using nftables in the kernel.

This is the approach used in current containerised environments such as Kubernetes: the containers are supposed to detect which set of tables are used by the host, and use the corresponding iptables interface (feeding the legacy tables or nftables). See Kubernetes issue #71305 for details.

The main pain point comes from combining iptables-nft and iptables-legacy: they use the same priority, so packets go through both chains and end up nowhere.

See "When and how to use chain priorities in nftables" for details of nftables priorities.
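As an added illustration of the priority ordering described above (not part of the original answer), here is an nftables ruleset with one base chain hooked before the legacy iptables filter table, which sits at priority 0, and one hooked after it. The table and chain names are assumptions; the `counter` statements are there only to make the ordering observable.

```nft
# Added example, not from the original answer.
# Legacy iptables (and iptables-nft) hook the filter table at priority 0,
# so priority -1 runs before it and priority 1 runs after it.
table inet early_filter {
    chain input {
        type filter hook input priority -1; policy accept;

        # Evaluated first. A drop here is final: the iptables INPUT chain
        # never sees the packet.
        ct state invalid counter drop

        # "accept" only ends this base chain. The packet still continues to
        # the iptables INPUT chain at priority 0, which may drop it there.
        ct state established,related counter accept
    }
}

table inet late_filter {
    chain input {
        type filter hook input priority 1; policy accept;

        # Evaluated after iptables INPUT. Anything counted here passed both
        # the chain above and the iptables rules at priority 0.
        counter
    }
}
```

Load it with `nft -f <file>` and compare the counters from `nft list ruleset` with `iptables -L INPUT -v` to see how many packets reached each hook relative to the iptables chain.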

  • Thanks, this helps as it provides some context. I wasn't asking with Kubernetes in particular in mind, but the problem stands to be similar no matter the exact implementation. I just mistook the meaning of iptables-<variant>, thanks for clearing that up. I also just saw: update-alternatives --display iptables ... Commented Jul 3, 2020 at 9:21
